Articles I've written

Account takeover in regional transportation system Lítačka

Just a few weeks ago, a new regional transportation system called Lítačka (a slang word for prepaid municipal transportation ticket used in some parts of the Czech Republic) was put into operation in Prague and the Central Bohemian Region. The system allows passengers to buy tickets in a mobile application, passengers can also pair their tickets with their payment cards so the validity of the prepaid ticket can later be checked by waving the card near random card readers in transportation vehicles. You could also steal a password reset link right from the unsuspecting user's browser.

(read more…)

Cracking passwords from the Mall.cz dump
January 2, 2018

You don't crack passwords using rainbow tables or brute-force attacks anymore. So this probably wasn't a plaintext leak, somebody have cracked 750k passwords and uploaded them online. I've tried cracking them too.

(read more…)

Upgrading existing password hashes
September 5, 2017

Still using MD5 or SHA-1 to store user passwords and want to gracefully migrate to e.g. bcrypt? Want to do it properly to protect all passwords in the database? Here's how.

(read more…)

All articles